FAQ
  1. The Vuln.dll example file gives a script error but not a crash?

    Vuln.dll is not registered during installation. Make sure to register it with regsvr32.exe before trying out the example vuln server.


  2. Can I fuzz objects that do not support IDispatch? - No

    The object must be scriptable, hence it must support the IDispatch or IDispatchEx interface.


  3. Can I call methods on any interface of a COM Object? - No

    Scripting clients can only access methods on the default interface of a COM Object.


  4. Can I fuzz objects which do not implement IObjectSafety? - Yes


  5. Can I customize the fuzz test arguments easily? - Yes

    Edit BuildArgs.vbs in your text editor of choice.


  6. Sometimes I get timeout errors when running COMRaider unattended?

    There are several things that can cause timeout errors. If the ActiveX control you are examining displays a modal dialog that COMRaider cannot close, then you will receive timeout errors.

    COMRaider's Window monitor will look for system modal dialogs of a certain class and try to click their "OK" button to close them out. The Window monitor uses the Windows API GetForegroundWindow on a timer to locate popups. This mechanism can fail if another application takes focus away from COMRaider's main window, or if a screen saver becomes active. You may have to intermittently monitor COMRaider's status while it is running its test scripts, and it is recommended to run it on a dedicated (VM) machine where it can run uninterrupted for long periods if conducting large audits.


  7. How can I tell if an Object can be loaded in IE without warning?

    There are three ways to test this. On the load file or type library viewer form this information may be directly presented to you if you used builddb.exe to load the audit database.

    If you used the default registry scanning mode to build your database, you can also use the "View Object Safety Report" menu item which is found on several forms to display the report on a case by case basis.

    Lastly, you can also choose the "Test Exploit in IE" menu item on either the debugger form or the type library viewer form to have COMRaider load a test page directly in IE. If you choose this option from the type library viewer form, what you are testing is whether you get an ActiveX warning dialog. A generic script error should be expected here because we are just embedding the object and not properly calling any of its methods. If you choose this menu item from the debugger form, then it will convert the WSF test file into HTML and try to render it in IE.


  8. Should I use the simple or extended scanning mode to locate controls on my system?

    Absolutely start with the simple default registry-based mode. You will not lose anything, and it will give you time to get used to COMRaider before you get audit hungry and need more to fill your appetite. (See the options page for more details.)

    Note that simple scanning mode does not save Object Safety report information to the database when it is built. If you want the extended information immediately available it is recommended to use the extended scan mode.


  9. Is it worth setting up the distributed mode even if I am working by myself?

    I would recommend it so you can take advantage of its organization features, even if you just set up the DSN to point to your local Access database as you would do for travel mode. (See the Distributed Auditing page for more details.)


  10. Sometimes COMRaider hangs on startup with the message trying to connect to server?

    If you are in distributed auditing mode, the first thing COMRaider will do on startup is test its database connection to your network SQL server. If the server is unavailable, the MySQL driver will hang the process until the connection times out.


  11. I don't want to scan one class at a time, I want to scan the whole library!

    If you are loading classes from the directory scanner or Load in IE forms, then the type library viewer will be in filter mode, displaying only the target class you selected.

    ActiveX DLLs often support more than one class per DLL. You can see how many classes are in even a filtered DLL by clicking on the root node of the TLB viewer form and looking for the Number of Classes info field. If you want to see them all, just right-click on the topmost node and select the "View all Classes" menu item.

    Once all classes are displayed, you can right-click on the top node again and choose the "Fuzz Entire Library" menu item.


  12. I don't want to just fuzz the entire library, I want to fuzz a bunch of entire libraries!

    There are several ways to accomplish this. The easiest is to use the "Fuzz library" option from the Load in IE or Scan for COM Servers forms.


  13. Sometimes application-defined errors or VC SEH errors show exception addresses within Kernel32 that don't make much sense, like pop edi in the disassembly. Why?

    I don't pretend to know all the ins and outs of how MS implemented their SEH. For now I will just accept this 'display bug' until I have more reading time on my hands.


  14. Object safety report on Load in IE form and type lib viewer does not seem to have as much info on my screen as it does in the screen shots?

    The Object safety info shown on these forms is queried from the database. If you built your CLSID list from the simple registry scanning mode, this information is not included in the database and so is not directly available. You can, however, still view this information on demand by choosing the "View Object Safety Report" menu item on these forms, which will spawn builddb.exe and instruct it to show you only the IObjectSafety report for the particular CLSID which you have specified.


  15. Where are generated fuzz files saved to?

    All fuzz files will be saved to folders of the following format:

    c:\comraider\[lib_name]\[method_name]\[random.wsf]
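
Added example for questions 7 and 14, not part of COMRaider or its documentation: besides the IObjectSafety report, a control can be registered as safe through the Implemented Categories registry keys, and IE will not instantiate a CLSID whose kill bit is set. This Python script reads the text of a registry export and lists the CLSIDs registered safe for scripting that have no kill bit. The sample export and its CLSIDs are constructed, and the script does not see safety that a control reports only through IObjectSafety at run time.

```python
import re

# Component categories that register a control as safe, and IE's kill bit flag.
CATID_SAFE_FOR_SCRIPTING = "{7DD95801-9882-11CF-9FA9-00AA006C4FE0}"
CATID_SAFE_FOR_INIT = "{7DD95802-9882-11CF-9FA9-00AA006C4FE0}"
KILL_BIT = 0x400  # set in "Compatibility Flags" to stop IE instantiating a CLSID

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
CAT_KEY = re.compile(r"\\CLSID\\(%s)\\Implemented Categories\\(%s)$" % (GUID, GUID), re.I)
COMPAT_KEY = re.compile(r"\\Internet Explorer\\ActiveX Compatibility\\(%s)$" % GUID, re.I)
FLAGS = re.compile(r'"Compatibility Flags"=dword:([0-9a-f]{8})$', re.I)

def audit_reg_export(text):
    """Map CLSID -> {"scripting", "init", "killbit"} from .reg export text
    (real exports are UTF-16; decode before calling)."""
    report, compat_clsid = {}, None
    def entry(clsid):
        return report.setdefault(
            clsid.upper(), {"scripting": False, "init": False, "killbit": False})
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            compat_clsid = None  # a new key ends the previous key's values
            cat, compat = CAT_KEY.search(line[1:-1]), COMPAT_KEY.search(line[1:-1])
            if cat and cat.group(2).upper() == CATID_SAFE_FOR_SCRIPTING:
                entry(cat.group(1))["scripting"] = True
            elif cat and cat.group(2).upper() == CATID_SAFE_FOR_INIT:
                entry(cat.group(1))["init"] = True
            elif compat:
                compat_clsid = compat.group(1)
        elif compat_clsid:
            m = FLAGS.match(line)
            if m and int(m.group(1), 16) & KILL_BIT:
                entry(compat_clsid)["killbit"] = True
    return report

def scriptable_and_not_killed(report):
    """CLSIDs registered safe for scripting with no kill bit: review these first."""
    return sorted(c for c, r in report.items() if r["scripting"] and not r["killbit"])

# Constructed sample export; the CLSIDs are placeholders, not real controls.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C4FE0}]
[HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-222222222222}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C4FE0}]
[HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-222222222222}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C4FE0}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{22222222-2222-2222-2222-222222222222}]
"Compatibility Flags"=dword:00000400
"""
```

Calling scriptable_and_not_killed(audit_reg_export(SAMPLE)) returns only the first placeholder CLSID, because the second one carries the kill bit.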






Wish list features for some future version
  • data from the API log needs to be able to trigger alerts (user-configurable match strings)
  • search API logs after fuzzing
  • hooking WCHAR API functions
  • display killbit status for classes